Security features enabled in OpenStack

Security features enabled in MCP OpenStack

Name: All Linux nodes conform to CIS baseline hardening, including hardened SSH daemon configuration, hardened firewall rules, hardened TLS cipher suites with TLS v1.2 support, and hardened HTTP/REST interfaces passing all OWASP tests
Description: The scope of default CIS hardening:

  • iptables rules
  • SSH configuration and encryption protocols
  • TCP/IP stack and network settings
  • Linux kernel VFS and file system layer
  • Security updates configuration (APT package manager)

Name: AppArmor Mandatory Access Control (MAC) framework enables support for improved security on all Linux nodes
Description: AppArmor provides improved security for compute virtual machines by confining workloads and ensuring that different workloads do not interfere with each other (sVirt libvirtd Linux capability).

Name: Ciphersuite enforcement
Description: Strong ciphersuite enforcement (SSH, TLS) compatible with FIPS 140-2 and TLS v1.2.

Name: Seamless LDAP/AD integration for secure authentication purposes
Description: MCP can leverage OpenLDAP and Microsoft Active Directory for appropriate account security, including password policies and account security policies.

Name: Customized RBAC policies for granular access control [0]
Description: MCP enables customers to develop customized RBAC policies, meeting sophisticated RBAC requirements for appropriate separation of duty (SOD) and granular access control to mitigate elevation of privilege (EoP) attacks.

Name: HAProxy for DoS/DDoS attack protection for Web and REST API access [0]
Description: MCP hides all sensitive API and HTTP web UI services behind a reverse proxy, making mitigation of DoS/DDoS attacks easy to implement and monitor.

Name: TLS support with AES128/256 cipher suites and Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange
Description: Support for Diffie-Hellman Ephemeral cipher suites provides forward secrecy, making MCP resistant to eavesdropping and sniffing attacks.

Name: StackLight (LMA toolchain) for improved security analytics and early anomaly detection
Description: StackLight provides advanced analytics enabling early anomaly detection.

Name: Network security technologies for workload protection
Description: A broad range of network security technologies for workload protection: FWaaS v2 (experimental), and OpenContrail SDN controller integration for advanced network service chaining and security services.

Name: CADF integration for out-of-the-box auditing capabilities [0]
Description: The CADF framework incorporated into MCP enables auditing capabilities to mitigate repudiation and tampering threats to sensitive information assets.

Name: Enhanced auditing and security intelligence capabilities through integration with third-party SIEM and Security Intelligence tools [0]
Description: Security intelligence solutions offer improved visibility and advanced analytics of cloud events. All events related to cloud operations, privileged user operations, and sensitive asset operations are monitored and analyzed in near real time. When suspicious activity occurs, alarm events are triggered.

Name: TLS Mutual Authentication for improved API and web access security [0]
Description: Mutual TLS authentication, along with TLS v1.2 support, provides an additional layer of security by mitigating information disclosure, for example, Man-In-The-Middle (MITM) attacks.

Name: OTP token support (Multi-Factor Authentication) through SAML, OIDC
Description: Multi-Factor Authentication and integration with a broad range of OTP tokens, including RSA SecurID, SafeNet, and Yubikey, provide substantially improved authentication security when compared to password-only authentication.

Name: Federation: SAML 2.0 and OpenID Connect (OIDC) support
Description: MCP is verified to work with corporate federation solutions including Microsoft Active Directory, Shibboleth, IBM WebSphere Security, Gluu, and Ping Federate.

Name: Secure network architecture allowing seamless DMZ integration [0]
Description: The MCP flexible network templating mechanism provides support for DMZ network topologies for API and Web UI security.

Name: PCI DSS, FISMA/FedRAMP compliance [0]
Description: PCI DSS and FISMA/FedRAMP compliance is achieved with the help of QSA/3PAO security services providers to reach the required level of conformance.

Name: Brute-force protection [0]
Description: Mitigates DoS attacks by monitoring networks for brute-force attempts with the relevant HAProxy and Nginx configuration.

[0] Advanced security features require the engagement of Mirantis Services engineers.